Quantum hacking: adding a commercial actively-quenched module to the list of
single-photon detectors controllable by Eve
We show how the PerkinElmer SPCM-AQR actively-quenched detector module can be
controlled by an eavesdropper. The scheme uses bright optical pulses to blind
the detector. In this mode, one can trigger a detector click controllably (with
sub-nanosecond time jitter) by applying at its input another bright optical
pulse above some intensity threshold. This loophole may be exploited to launch
an intercept-resend (faked-state) attack against quantum cryptosystems using
these detectors. An example is given in the case of a four-state protocol
implemented with polarization coding.



Over the past twenty years, quantum key distribution (QKD) has progressed from
a tabletop demonstration to commercially available systems and experiments with
secure key exchange possible up to 100 km and growing [1]. Security of these
cryptosystems is based on the impossibility, in principle, to reliably copy an
a-priori unknown quantum state, as accounted for by the no-cloning theorem.
However, security also relies on the assumption that the electro-optical
devices which are part of quantum cryptosystems do not deviate from model
assumptions made to establish security proofs. This second range of security
threats, which target component imperfections, has already been successfully
exploited by one of the authors to take control of widely used single photon
detectors, namely InGaAs-based modules at telecom wavelengths and silicon-based
(Si) modules in the 500-900 nm wavelength range [5]. In the latter case, the
controlled modules used passively quenched avalanche photodiodes (APDs).
However, among the 26 reported experiments employing Si APDs, roughly half use
active quenching [5]. Until recently, PerkinElmer SPCM-AQR module and its
four-channel version (SPCM-AQ4C) have been the only commercially available Si
single-photon detector models. In this Letter, we show that the SPCM-AQR module
can also be controlled by an eavesdropper. The attack exploits the generic
"blinding" behavior of such APDs, whose single-photon sensitivity can drop to
exactly zero when illuminated well above single photon level (optical peak
powers used here are between 1 and 10 mW at 780 nm).

The part of the detector electrical circuit relevant to the understanding of
the presented control method is shown in Fig. 1. To the left of the APD is a
high-voltage power supply circuit. In normal single-photon regime, it provides
stable bias voltage at the cathode of the APD (the two detector samples we
tested had stable bias voltages of 350 V and 410 V, respectively). To the right
of the APD is a circuit which senses the onset of avalanches. Active quenching
is accomplished by connecting the anode of the APD to +30 V, with the effect of
lowering the voltage across the APD below the breakdown voltage. 20 ns after
quenching, the circuit is reset by briefly connecting the anode of the APD to
the ground.

When the APD is illuminated by a bright optical pulse, the current through it
is much larger than during an ordinary single-photon avalanche. A current
limiting circuit connected to the cathode of the APD kicks in and limits the
current pulse to about 10 mA. This current is drawn from the decoupling
capacitor C9, whose other end is connected to the output of a low-power
operational amplifier (OA) U7.1 (Texas Instruments TLC2262). This OA is
relatively slow and has a maximum load current significantly lower than 10 mA.
Over the next microsecond following the current pulse that exceeds the OA load
capacity, its output voltage produces a 1 V deep dip. As it turns out, this
output voltage controls, through a high-power MOSFET Q11, a miniature
high-voltage DC/DC converter module U6. As a result, when the APD is
illuminated by bright optical pulses with a certain frequency (typically above
70 kHz), the input power of U6 gets disrupted with the same frequency. Inside
U6, the switching circuit appears to phase lock or fractionally phase lock to
the frequency of disruptions, so that U6 significantly reduces its output
voltage, depending on the frequency and intensity of the optical pulses, as
shown in Fig. 2. When the APD bias voltage drops by more than 12-14 V, the rate
at which the detector clicks becomes exactly equal to the frequency of the
optical pulses. In other words, between two consecutive pulses (denoted as
control pulses hereafter), the detector becomes totally insensitive to single
photons, dark counts and afterpulses, producing no extra clicks whatsoever. In
contrast, outside of the complete control range, it produces random clicks at a
typically much higher rate than the control pulses.

FIG. 1: PerkinElmer SPCM-AQR module. Equivalent diagram of the high-voltage
power supply, avalanche sensing and quenching circuitry (reverse engineered
from sample with PCB labeled "EG&G P/N 2580883 rev. G").

While the detector is blinded between two control pulses of sufficient
frequency and peak power, it is possible to make it click controllably if one
applies at its input a shorter pulse above a certain intensity threshold. This
is illustrated in Fig. 3. It shows that in the so-called "blinded" mode, pulses
of 8 ns typical width trigger a detector click with unity probability and
sub-nanosecond time jitter at a nominal peak power (case a), while at slightly
more than half this intensity, the detector remains blinded (case b) [12]. This
feature is the last missing ingredient Eve needs to stage a successful
intercept-resend (faked-state) attack on a QKD system using such detectors.

FIG. 2: (Color online) APD bias voltage vs. frequency and peak optical power
P_control of rectangular 50 ns wide input optical pulses. Normal bias voltage
at low count rate for this detector sample is 350 V. Filled symbols denote
pulse parameters at which the detector got under complete control, see text.
The control pulses do not have to be very regular to get the detector under
control. Actually, a fast deeply frequency modulated pulse sequence works too.

FIG. 3: (Color online) Oscillogram at detector output (blue trace) illuminated
by bright optical pulses (red trace) made of control pulses (8.5 mW, 50 ns
wide, 230 kHz repetition rate) to blind the detector, and of weaker trigger
pulses (8 ns wide), which make the detector click with unity probability and
sub-nanosecond time jitter only above a certain intensity threshold (detector
always clicks in case a, never clicks in case b).

FIG. 4: (Color online) Intercept-resend (faked-state) attack Eve could launch
against a QKD system which runs a four-state protocol with polarization coding
and passive choice of basis. In the example, Eve targets the detector recording
vertically polarized qubits, in the horizontal/vertical (H/V) basis. Eve sends
(1) control pulses with an incoherent mixture of H and V polarizations (to keep
all four detectors blinded when she is not sending faked states) and (2) a
faked state with V polarization and intensity I_0 set slightly above the
threshold after basis choice to address the target detector. The detectors
recording H and V polarized qubits in the conjugate (45° rotated) basis will
each receive a pulse of intensity I_0/2 below the threshold, and thus will
remain blinded. In the diagram: BS, beamsplitter; PBS, polarizing beamsplitter;
HWP, half-wave plate.

As an example, let us consider a QKD system which runs a four-state protocol
with polarization coding and passive choice of basis at the receiver side
(Bob), as is often the case with QKD systems using Si detectors. This is
illustrated in Fig. 4. We assume Eve owns an exact replica of Bob's detection
apparatus, with which she intercepts and measures the polarization state of
each qubit sent by Alice. In order to run a successful attack, Eve must resend
faked states that will force her detection results onto Bob in a transparent
way. Provided that all four detectors are blinded by her control pulses, Eve
can send an optical pulse in the quantum state corresponding to the target
detector (e.g., vertically polarized pulse with peak power right above the
intensity threshold). In the conjugate basis, the 45° rotated pulse will be
split equally at the PBS, and with pulse intensities reduced by half (thus
below the threshold) the detectors will remain blinded.

The attack should also work with active choice of basis (in this case, the
target detector will click if Bob chooses the same basis as Eve, and otherwise
his two detectors will remain blinded). The attack should as well be successful
if decoy states are used, since Eve does not launch any photon-number splitting
attack here. The only thing that betrays her presence is the simultaneous
arrival at all detectors of the control pulses with a rate of at least 70 kHz.
In some QKD systems, these may be ignored by Bob as falling outside his
post-processing gating time window. In free-space systems operating in
daylight, these pulses may be mistaken by Bob for normal background count
rates.
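
The signature named above (control pulses reaching all detectors at once, at 70 kHz or more) can be searched for in Bob's raw click log. The following Python sketch is an added example, not code from the Letter; it assumes time-tagged clicks recorded before any gating, detector labels H, V, D, A, and a 5 ns coincidence window, and its sample streams are constructed.

```python
from collections import deque

# Assumed labels for Bob's four detectors (two per basis); not from the Letter.
DETECTORS = frozenset({"H", "V", "D", "A"})
MIN_CONTROL_RATE_HZ = 70e3    # lowest control-pulse rate given in the text
COINCIDENCE_WINDOW_S = 5e-9   # assumption: a few times the receiver's timing jitter


def fourfold_coincidence_rate(clicks, duration_s, window_s=COINCIDENCE_WINDOW_S):
    """Rate in Hz of events where all four detectors click within window_s.

    clicks: iterable of (timestamp_s, detector_label), taken before any
    post-processing gate so that out-of-gate pulses are still counted.
    """
    recent = deque()  # clicks no older than window_s
    events = 0
    for t, det in sorted(clicks):
        recent.append((t, det))
        while t - recent[0][0] > window_s:
            recent.popleft()
        if DETECTORS <= {d for _, d in recent}:
            events += 1
            recent.clear()  # a click belongs to at most one event
    return events / duration_s


def blinding_suspected(clicks, duration_s, threshold_hz=MIN_CONTROL_RATE_HZ):
    """True if four-fold coincidences occur at or above the control-pulse rate."""
    return fourfold_coincidence_rate(clicks, duration_s) >= threshold_hz


def constructed_controlled_stream(rate_hz=230e3, duration_s=1e-3):
    """Constructed sample: every detector clicks on each pulse (0.2 ns skew)."""
    n = round(rate_hz * duration_s)
    return [(k / rate_hz + i * 0.2e-9, d)
            for k in range(n) for i, d in enumerate(sorted(DETECTORS))]


def constructed_normal_stream(duration_s=1e-3, spacing_s=10e-6):
    """Constructed sample: isolated single clicks, one detector at a time."""
    labels = sorted(DETECTORS)
    n = round(duration_s / spacing_s)
    return [(k * spacing_s, labels[k % 4]) for k in range(n)]


if __name__ == "__main__":
    for name, s in [("normal", constructed_normal_stream()),
                    ("controlled", constructed_controlled_stream())]:
        print(name, fourfold_coincidence_rate(s, 1e-3), blinding_suspected(s, 1e-3))
```

In a deployed monitor the threshold would sit well below 70 kHz, just above the accidental four-fold rate expected from background, since the text notes that irregular and frequency-modulated control sequences also work.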

As we write this Letter, one other control mode has been uncovered with this
detector (to be reported soon), and we anticipate other vulnerabilities to be
exploitable by Eve. We think that use of PerkinElmer detectors as they are in
QKD systems does not guarantee security. Several reported experimental QKD
systems using these detectors are potentially vulnerable [7, 8, 9, 10].
Identifying and patching such loopholes is a required process to bring
realistic implementations to the level of unconditional security envisioned by
theoretical proofs.
The actual value of the intensity threshold depends on the timing of the
trigger pulse relative to the other optical pulses. The intensity thresholds
were identical for the first two detector samples we have tested; however, for
a third detector sample that was manufactured several years later, the
threshold values were different.



